Chrome OS security holes found, patched

At Google's Pwnium hacking competition, two new security exploits in Chrome OS were demonstrated, while at Pwn2Own a Chrome Web browser problem was found that also impacted Chrome OS. All three problems have now been patched.

The first exploit, and the $150,000 prize, went to George Hotz, a well-known researcher and hacker known as "Geohot", for an exploit chain six deep on the HP Chromebook 11. This hack resulted in a persistent program executing on Chrome OS. It was by no means a simple crack: it involved getting four different security holes lined up perfectly. These were memory corruption in Chrome's V8 JavaScript engine; a command injection in Crosh, Chrome OS's limited shell; a path traversal issue in CrosDisks, the program that mounts and unmounts file systems in Chrome OS; and an issue with file persistence at boot.
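Two of the bug classes named in that chain, command injection through a shell and path traversal in a helper that mounts file systems, are illustrated below with a hypothetical mount helper. This is an added example written for this article; it is not Crosh or CrosDisks code, and the mount root, device check and label pattern are assumptions chosen for the illustration. The first function shows how a label becomes shell text when it is spliced into a command string; the second resolves the mount point and refuses anything that escapes the root; the third builds an argv list (no shell) with a strict label allow-list as a second layer.

```python
import os
import re

# Hypothetical mount root for the example; not a Chrome OS path.
MEDIA_ROOT = "/media/removable"

# Allow-list for device labels: no slashes, dots-only names, or metacharacters.
LABEL_RE = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$")


def naive_mount_command(device: str, name: str) -> str:
    """Illustrative weak form: the label is interpolated into shell text.
    A label such as 'usb0; id' would be parsed by the shell as two commands
    if this string were ever passed to something like subprocess with shell=True.
    Returned as a string only so the problem is visible; never executed here."""
    return f"mount {device} {MEDIA_ROOT}/{name}"


def safe_mount_target(name: str, root: str = MEDIA_ROOT) -> str:
    """Return the canonical mount point for a user-supplied label, refusing any
    name whose normalized path leaves the mount root (path traversal)."""
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing name")
    target = os.path.normpath(os.path.join(root, name))
    # normpath collapses '..', so a traversal attempt resolves to a path whose
    # common prefix with root is shorter than root itself.
    if os.path.commonpath([root, target]) != root or target == root:
        raise ValueError(f"path escapes mount root: {name!r}")
    return target


def build_mount_argv(device: str, name: str) -> list:
    """Hardened form: validate every input, then build an argv list so that
    nothing in the label is ever interpreted by a shell."""
    if not device.startswith("/dev/") or "/" in device[len("/dev/"):]:
        raise ValueError(f"device must be a plain node under /dev: {device!r}")
    if not LABEL_RE.match(name):
        raise ValueError(f"label rejected by allow-list: {name!r}")
    target = safe_mount_target(name)
    # Mount options chosen for the example: removable media gets no suid,
    # no device nodes and no executable mappings.
    return ["mount", "-o", "nosuid,nodev,noexec", device, target]


if __name__ == "__main__":
    print(naive_mount_command("/dev/sdb1", "usb0; id"))
    print(build_mount_argv("/dev/sdb1", "usb0"))
    for bad in ["../../etc", "sub/../../etc", ".", "usb0; id"]:
        try:
            build_mount_argv("/dev/sdb1", bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The argv list would be handed to `subprocess.run` without `shell=True`, so even a label that slipped past the allow-list would reach `mount` as a single argument rather than as shell syntax; the `commonpath` check is what catches traversal that the allow-list does not cover when a less strict label policy is used.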

This time around Pinkie Pie was able to show off sandboxed code execution and a kernel out-of-bounds (OOB) write. This exploit used two new holes. One involved memory corruption in the graphics processing unit (GPU) command buffer, while the other was a kernel OOB write in the GPU driver.

Dharani Govindan, a Google Chrome Test Engineer Lead, said of Geohot and Pinkie Pie's exploits, "We’re delighted at the success of Pwnium and the ability to study full exploits. We anticipate landing additional changes and hardening measures for these vulnerabilities in the near future. We also believe that both Pwnium submissions are works of art and deserve wider sharing and recognition."

The last exploit was revealed during the Pwn2Own Web browser cracking competition. VUPEN, the ace French security company and cracking team, while breaking into Chrome OS, found an exploitable bug involving freed memory in Blink bindings. Blink is Google's fork of the WebKit Web browser engine.

Why did Google encourage hackers to break its prize operating system for real money? Chris Evans, a Google security engineer who has been on the Chrome security team since the start, told CNET, "If you want high-quality security, you have to pay for it." Evans also said, "The prize is high because the amount we can learn from it is high. We can close whole classes of bugs, while devising new hardening measures."

A Google spokesperson added, "These competitions allow us to patch entire classes of bugs to protect our users from real harm." She concluded, "Google already patched all bugs used for these demonstrated Chrome browser and Chrome OS exploits before the end of day Friday." Clearly, these competitions work.